Auth: gate OpenAI OAuth TLS preflight in doctor

src/commands/openai-codex-oauth.test.ts

@@ -105,6 +105,39 @@ describe("loginOpenAICodexOAuth", () => {
     );
   });
 
+  it("continues OAuth flow on non-certificate preflight failures", async () => {
+    const creds = {
+      provider: "openai-codex" as const,
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: Date.now() + 60_000,
+      email: "user@example.com",
+    };
+    mocks.runOpenAIOAuthTlsPreflight.mockResolvedValue({
+      ok: false,
+      kind: "network",
+      message: "Client network socket disconnected before secure TLS connection was established",
+    });
+    mocks.createVpsAwareOAuthHandlers.mockReturnValue({
+      onAuth: vi.fn(),
+      onPrompt: vi.fn(),
+    });
+    mocks.loginOpenAICodex.mockResolvedValue(creds);
+
+    const { prompter } = createPrompter();
+    const runtime = createRuntime();
+    const result = await loginOpenAICodexOAuth({
+      prompter,
+      runtime,
+      isRemote: false,
+      openUrl: async () => {},
+    });
+
+    expect(result).toEqual(creds);
+    expect(mocks.loginOpenAICodex).toHaveBeenCalledOnce();
+    expect(runtime.error).not.toHaveBeenCalledWith("tls fix");
+    expect(prompter.note).not.toHaveBeenCalledWith("tls fix", "OAuth prerequisites");
+  });
   it("fails early with actionable message when TLS preflight fails", async () => {
     mocks.runOpenAIOAuthTlsPreflight.mockResolvedValue({
       ok: false,